Passwords and Authentication Research

To combat both the inherent and user-induced weaknesses of
text-based passwords, administrators and organizations typically
institute a series of rules – a password policy – to which users must
adhere when choosing a password. There is consensus in the literature that a properly written
password policy can provide an organization with increased
security. There is, however, less accord in describing just what such
a well-written policy would be, or even how to determine whether a
given policy is effective. Although it is easy to calculate the
theoretical password space that corresponds to a particular password
policy, it is difficult to determine the practical password
space. Users may, for example, react to a policy rule requiring them
to include numbers in passwords by overwhelmingly picking the same
number, or by always using the number in the same location in their
passwords. There is little published empirical research that studies
the strategies used by actual users under various password
policies. In addition, some password policies, while resulting in
stronger passwords, may make those passwords difficult to remember or
type. This may cause users to engage in a variety of behaviors that
might compromise the security of passwords, such as writing them down,
reusing passwords across different accounts, or sharing passwords with
friends. Other undesirable side effects of particular password
policies may include frequently forgotten passwords. In fact, the harm
caused by users following an onerously restrictive password policy may
be greater than the harm prevented by that policy. In this project,
we seek to advance understanding of the factors that make creating and
following appropriate password policies difficult, collect empirical
data on password entropy and memorability under various password
policies, and propose password policy guidelines to simultaneously
maximize security and usability of passwords. We also explore the
security and usability of some new types of passwords.
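The gap between theoretical and practical password space described above can be made concrete. The following added example (written for this page, not code from the research project) computes the theoretical space of a "must include a digit" policy and then measures, over a constructed sample standing in for passwords collected under that policy, how much entropy the digit actually contributes when users overwhelmingly pick the same digit in the same place. The sample passwords, the 95-symbol printable-ASCII alphabet and the single-digit restriction are assumptions made for the example.

```python
"""Theoretical vs. practical password space under a 'must include a digit' rule."""
import math
import string
from collections import Counter

PRINTABLE = 95            # printable ASCII symbols (assumed alphabet)
DIGITS = set(string.digits)


def theoretical_space(length, require_digit=True):
    """Number of passwords of exactly `length` printable-ASCII characters that
    satisfy the policy. With a required digit, passwords made only of the 85
    non-digit symbols are excluded."""
    total = PRINTABLE ** length
    if require_digit:
        total -= (PRINTABLE - 10) ** length
    return total


def theoretical_digit_bits(length):
    """Bits the one required digit would contribute if its position and value
    were chosen uniformly: `length` possible positions times 10 values."""
    return math.log2(length * 10)


def digit_choice(password):
    """(index, digit) for a password containing exactly one digit, else None."""
    idx = [i for i, ch in enumerate(password) if ch in DIGITS]
    if len(idx) != 1:
        return None
    return (idx[0], password[idx[0]])


def shannon_bits(counter):
    """Shannon entropy in bits of an empirical distribution of counts."""
    n = sum(counter.values())
    return -sum(c / n * math.log2(c / n) for c in counter.values())


def observed_digit_bits(passwords):
    """Entropy of the (position, digit) choices users actually made."""
    choices = Counter(c for c in map(digit_choice, passwords) if c is not None)
    return shannon_bits(choices)


# Constructed sample: nine-character passwords as users might choose them
# under a digit rule. Eight of ten append '1', one appends '2', one prepends '1'.
SAMPLE = [
    "password1", "sunshine1", "princess1", "football1", "iloveyou1",
    "baseball1", "whatever1", "computer1", "jennifer2", "1qwertyui",
]

if __name__ == "__main__":
    print("theoretical space, 9 chars, digit required:", theoretical_space(9))
    print("digit contribution if uniform: %.2f bits" % theoretical_digit_bits(9))
    print("digit contribution observed:   %.2f bits" % observed_digit_bits(SAMPLE))
```

On the constructed sample the digit adds under one bit instead of the 6.5 bits the policy nominally buys, which is the kind of measurement a policy evaluation needs and a theoretical-space calculation cannot give.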

Password Guessability Service - Our free service for the research community that
estimates plaintext passwords' guessability: how many guesses a
particular password-cracking algorithm with particular training
data would take to guess a password.
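To show what a guess number is, the following added example (not the service's code) orders candidate guesses the way a minimal frequency-then-mangling cracker would, using a constructed training set, and reports the 1-indexed position at which a given password would be reached. The training counts, the two mangling rules (append one digit; capitalize and append one digit) and the guess budget are assumptions chosen for illustration; the real service uses far richer algorithms and training data, but the output has the same meaning.

```python
"""Toy guess-number estimator: position of a password in a cracker's guess order."""
from collections import Counter

# Constructed training data: strings with the frequency a leak might show.
TRAINING = Counter({"password": 50, "123456": 40, "iloveyou": 20,
                    "sunshine": 10, "dragon": 5})


def guess_sequence(training, digits="0123456789"):
    """Yield guesses in the order this toy cracker tries them:
    1) training strings by descending frequency,
    2) each base string with one digit appended,
    3) each capitalized base string with one digit appended.
    Duplicates (e.g. capitalizing an all-digit string) are skipped, since a
    cracker would not spend a second guess on the same candidate."""
    seen = set()
    bases = [word for word, _ in training.most_common()]
    candidates = (
        [b for b in bases]
        + [b + d for b in bases for d in digits]
        + [b.capitalize() + d for b in bases for d in digits]
    )
    for guess in candidates:
        if guess not in seen:
            seen.add(guess)
            yield guess


def guess_number(password, training=TRAINING, budget=10 ** 6):
    """1-indexed number of guesses needed to reach `password`, or None if it
    is not reached within `budget` guesses (or at all)."""
    for n, guess in enumerate(guess_sequence(training), start=1):
        if n > budget:
            return None
        if guess == password:
            return n
    return None


def guessability_report(passwords, training=TRAINING):
    """Map each password to its guess number under this model."""
    return {pw: guess_number(pw, training) for pw in passwords}


if __name__ == "__main__":
    for pw, n in guessability_report(
            ["password", "sunshine1", "Dragon7", "correcthorse"]).items():
        print("%-14s %s" % (pw, n if n is not None else "not guessed"))
```

A password's guess number depends entirely on the algorithm and training data, which is why the service asks for both: the same password can be trivial under one model and unreachable under another.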